Trust

- A trustworthy entity has sufficient credible evidence leading one to believe that the system will meet a set of requirements
- Trust is a measure of trustworthiness relying on the evidence
- Assurance is confidence that an entity meets its security requirements, based on evidence provided by the application of assurance techniques
  - SDLC, formal methods, design analysis, testing, etc.

Models

- System assembly from reusable components
  - Depends on whether components are trusted
  - Must assure connections and composition as well
  - Very complex, difficult to assure
  - This is a common approach to building secure and trusted systems
- Extreme programming
  - Rapid prototyping and "best practices"
  - Project driven by business decisions
  - Requirements open until project complete
  - Components tested and integrated several times

Architectural considerations for assurance

- Determine the focus of control of the security enforcement mechanism
  - Operating system: focus is on data
  - Applications: more on operations/transactions
- Centralized or distributed
  - Distribute them among systems/components
  - Tradeoffs? Generally easier to "assure" a centralized system
- Security mechanism may exist in any layer

Design meets requirements?

- Techniques needed
  - Requirements tracing
    - To prevent requirements and functionality from being discarded, forgotten, or ignored at lower levels of design
    - Process of identifying specific security requirements that are met by parts of a description
  - Informal correspondence
    - Process of showing that a specification is consistent with an adjacent level of specification

Class Example: Privacy

1. Pseudonymity
   - The TSF shall ensure that [assignment: set of users and/or subjects] are unable to determine the real user name bound to [assignment: list of subjects and/or operations and/or objects]
   - The TSF shall be able to provide [assignment: number of aliases] aliases of the real user name to [assignment: list of subjects]
   - The TSF shall [selection: determine an alias for a user, accept the alias from the user] and verify that it conforms to the [assignment: alias metric]
2. Reversible Pseudonymity
   - …
3. Alias Pseudonymity
   1. …
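The three pseudonymity requirements above are written as a toy TSF component here, as an added example (not part of the slides or of the Common Criteria text). The alias metric (a lowercase identifier of 6 to 24 characters), the "privacy_officer" role that is allowed to reverse an alias, and the keyed HMAC derivation of aliases are all assumptions made for the example; in a real evaluation each would be filled in from the corresponding assignment or selection.

```python
import hmac
import hashlib
import re

# Constructed "alias metric": a lowercase identifier of 6 to 24 characters.
# In a real TOE this comes from the [assignment: alias metric] in the requirement.
ALIAS_METRIC = re.compile(r"^[a-z][a-z0-9_]{5,23}$")

# Hypothetical role allowed to reverse a pseudonym (the reversible case).
AUTHORISED_REVERSAL_ROLES = {"privacy_officer"}


class PseudonymService:
    """Toy TSF component that binds aliases to real user names."""

    def __init__(self, key: bytes):
        self._key = key            # secret: nobody without it can recompute aliases
        self._alias_to_real = {}   # reverse map, consulted only for authorised roles

    def _derive(self, real_user: str, index: int) -> str:
        # Keyed derivation: deterministic for the TSF, opaque to everyone else.
        tag = hmac.new(self._key, f"{real_user}:{index}".encode(), hashlib.sha256)
        return "u_" + tag.hexdigest()[:12]

    def conforms(self, real_user: str, alias: str) -> bool:
        """Alias metric check: right syntax, not the real name, not owned by someone else."""
        if not ALIAS_METRIC.match(alias):
            return False
        if alias.lower() == real_user.lower():
            return False
        owner = self._alias_to_real.get(alias)
        return owner is None or owner == real_user

    def aliases_for(self, real_user: str, count: int) -> list:
        """Provide `count` aliases of the real user name (second requirement)."""
        aliases = []
        for i in range(count):
            alias = self._derive(real_user, i)
            if not self.conforms(real_user, alias):
                raise RuntimeError("derived alias collides with an existing one")
            self._alias_to_real[alias] = real_user
            aliases.append(alias)
        return aliases

    def register_alias(self, real_user: str, alias: str = None) -> str:
        """Determine an alias, or accept one from the user, then verify it (third requirement)."""
        if alias is None:
            held = sum(1 for owner in self._alias_to_real.values() if owner == real_user)
            alias = self._derive(real_user, held)
        if not self.conforms(real_user, alias):
            raise ValueError("alias does not conform to the alias metric")
        self._alias_to_real[alias] = real_user
        return alias

    def resolve(self, alias: str, role: str):
        """Only an authorised role can recover the real name; others learn nothing (first requirement)."""
        if role not in AUTHORISED_REVERSAL_ROLES:
            return None
        return self._alias_to_real.get(alias)


if __name__ == "__main__":
    svc = PseudonymService(b"constructed-demo-key")
    print(svc.aliases_for("alice", 3))
    print(svc.register_alias("bob", "shadow_fox"))
    print(svc.resolve("shadow_fox", "user"), svc.resolve("shadow_fox", "privacy_officer"))
```

The point worth tracing back to the requirement text is that the first requirement is enforced by the `resolve` guard, not by the alias format: an alias that is unguessable but whose reverse map is readable by any subject would still fail it.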